Portions of Zeus code appear to have been added to
a computer worm called Ramnit, first identified in January 2010, Ayelet
Heyman, senior malware researcher for Trusteer,
wrote in a blog post Aug. 23. A password-stealing, file-infecting worm
that spreads via networked drives, Ramnit is highly prolific. Symantec
found that Ramnit accounted for 17.3 percent of all malicious software
the company detected in July.

The other recently identified sample is a
crimeware kit based on the leaked Zeus code. Sold in the criminal
underground for $1,800, Ice IX is "the first new generation of Web
applications developed to manage centralized botnets through the HTTP
protocol based on leaked Zeus source code," Jorge Mieres, a malware analyst with Kaspersky Lab, wrote on the Securelist blog Aug. 23.

Like Zeus, Ice IX is designed to steal banking
information. Mieres said this "modified version of Zeus" has been in
the wild since the beginning of the year. At least one example of a
data-stealing botnet based on this malware has been discovered on
Amazon Elastic Compute Cloud (EC2), Mieres said.

The new Ramnit strain took the code injection
capability from Zeus to be able to modify Web pages on the fly as they
are being displayed on the user's Web browser. Zeus used the
man-in-the-browser Web injection module to modify banking sites and
circumvent some of the security measures used by financial
institutions, such as two-factor authentication and transaction signing
systems, to protect online banking sessions. While Trusteer has
identified that Ramnit is using the MitB module, the team is still
analyzing what other modules have been added.

A worm is a type of malware that secretly
integrates itself into program or data files and infects more files
each time the host program is run. The original Ramnit worm could
infect Windows executables, HTML files and documents, Heyman said.
Trusteer researchers discovered a "few weeks ago" that Ramnit had
"morphed" into financial malware and was used to commit financial
fraud, according to Heyman.

Researchers found that Ramnit supported "all basic features required for well-bred financial malware," said Heyman.

Ramnit communicates continuously and securely over
SSL with a command-and-control server in Germany to report its status
and receive configuration updates. The MitB Web injection module lets
the enhanced worm modify Web pages in a covert manner, such as changing
the balance amount, inserting additional transactions on the page, or
adding new textboxes to phish private details from victims.

Ramnit's configuration format is similar to the format used by both Zeus and SpyEye, Heyman said.

"It is clear that from now on, more new crimeware
will be based on Zeus code," Kaspersky's Mieres said. Cyber-criminals
will begin to create their own versions of malware with components
borrowed from Zeus in hopes of quick profit, Mieres said.

"Unlike the past, when financial institutions had
to defend against a limited number of malware platforms, attacks can
now come from virtually any malicious software program-old or new,"
Amit Klein, CTO of Trusteer said. The malware distribution channel has
increased "in scale," said Klein.

With the copy protection on the SpyEye crimeware kit also cracked
and readily available on the underground market, it is likely that
there will be more ordinary malware made dangerous by taking on
components from both Zeus and SpyEye.